Each sub-sub folder (C,D,F,G) has a corresponding AD group. I want allow only users who are members of a sub-sub-folder's group to access it, but i still want to allow the sub folders (B,E) to be browsed by everyone. (i.e. people can see C,D,F,G but cant access their contents)

I hope that makes sense.

I tried to do this:

Edit the permissions of the sub folders (B,E) and turn off "inherited permissions", but copied them rather than removing them. I then set them to not cascade down to children (this folder only).

This mean't that i could create the sub-sub folders (C,D,F,G) but then couldn't access them. This is what i wanted and as i expected. I then planned to add modify rights to the sub-sub folders for their respective groups, and added myself to a couple of the groups to test it out.

However, when i tried to assign the group-modify permission i get a generic "access denied" message. I thought it might be because i didnt have change permission rights on the sub-sub folders, so i modified the sub folders to cascade down "Change permissions" but that didnt help :(

Any ideas why I cant get this to work? I'm in Windows server 2008r1

All the users are Administrators by the way (this has to be the case)

Edit: I don't want to assign deny rights to all the groups that are not allowed to access a particular sub-sub folder as in reality this tree will be massive and that would create a maintenance nightmare!

yeah i dont mind that they could override it, company policy can govern that. i just want to make it so inorder to see that data, they'd have had to deliberately hacked in. ill try your suggestion...
–
Andrew BullockSep 1 '10 at 15:11

Ive done this, but then i cant get into C,D,E,F "You do not currently have permission to access this folder". I am in the group which i have granted Modify to. :(
–
Andrew BullockSep 1 '10 at 15:24

Did you just create the groups, or add yourself to the group since you last rebooted your computer? If so, restart your computer.
–
Chris S♦Sep 1 '10 at 15:27

Admins do not need to have full control. They only need read/change perms and traverse folder
–
Jim BSep 1 '10 at 15:32